[00:04.520 --> 00:11.160]  Welcome to our latest Ethics Village Talk. We are very fortunate to have with us today
[00:11.160 --> 00:16.940]  Jessica Wilkerson from the FDA. Jessica, welcome. Thanks for taking time to talk to us.
[00:16.940 --> 00:20.840]  Thank you so much for... well, thank you so much for having me.
[00:21.480 --> 00:29.320]  So, first question, really kind of introductory. Tell us a bit about yourself. You've had a super
[00:29.320 --> 00:33.160]  exciting and interesting career. You've done a bunch of different policy things,
[00:33.160 --> 00:37.800]  all of which have been really important. Tell us a bit about yourself and how you ended up
[00:37.800 --> 00:45.140]  at the FDA. Sure. So, I don't know... I've had an exciting career development. That's good news.
[00:45.140 --> 00:52.900]  It's good to hear. But I... so, I'm currently at the FDA. I am a cyber policy advisor.
[00:53.320 --> 00:59.660]  So, I generally work with... across the FDA to do... to look at cybersecurity of medical devices,
[00:59.660 --> 01:05.760]  not necessarily in the review of them necessarily. I leave that to people who are much more qualified
[01:05.760 --> 01:13.680]  than I am. But looking at various concepts... I'm so sorry, my cat is causing me a whole bunch
[01:13.680 --> 01:18.840]  of problems. There we go. That's a bonus round here. That's totally allowed. If the cat has
[01:18.840 --> 01:24.900]  opinions on your career trajectory, that's totally welcome too. I'll be sure to quiz him later.
[01:26.180 --> 01:30.300]  But essentially, I look at things like software bill of materials, coordinated disclosure,
[01:30.720 --> 01:34.480]  things like legacy devices and others that I think we're going to get into a little bit later
[01:34.480 --> 01:41.840]  that from a higher level, more so than the review level, will really influence what it means for a
[01:41.840 --> 01:49.320]  medical device to be cyber secure. And I ended up at FDA through sort of a very winding process.
[01:49.320 --> 01:53.740]  And I guess I will work backwards to sort of explain how I ended up here and why
[01:54.340 --> 01:59.340]  a lot of the experience that I brought with me to the FDA is relevant. But prior to this,
[01:59.340 --> 02:03.120]  I was with the Linux Foundation. I was the Cybersecurity Research Director.
[02:03.500 --> 02:08.880]  And this really stemmed from a recognition that I had a few years ago that I think many other
[02:08.880 --> 02:15.240]  people had had much earlier than I had it. But essentially around this reality that open source
[02:15.240 --> 02:20.960]  software is in everything. Everything is built out of open source software. It is the basis of
[02:20.960 --> 02:27.540]  modern technology today. And so if we want to have cyber secure products and cyber safe products,
[02:27.540 --> 02:31.940]  we have to have secure and safe open source software. And you know,
[02:32.460 --> 02:36.380]  given the characteristics of the open source ecosystem, that is a more challenging
[02:37.160 --> 02:42.500]  undertaking than it traditionally is in more proprietary or closed source software.
[02:42.600 --> 02:46.180]  And so I spent a year with the Linux Foundation really examining those issues.
[02:46.860 --> 02:52.340]  But the bulk of my experience really came from working with the United States Congress.
[02:52.360 --> 02:58.120]  I was a professional staff member and then had a few other titles throughout my time there.
[02:58.120 --> 03:01.360]  But I spent five and a half years with the Committee on Energy and Commerce
[03:01.360 --> 03:07.600]  doing cybersecurity issues. And so the thing to really know about the Committee on Energy and
[03:07.600 --> 03:16.120]  Commerce is that when it comes to congressional committees who have jurisdiction, Energy and
[03:16.120 --> 03:21.620]  Commerce is on a hill. So they have jurisdiction over energy, over healthcare, over telecommunications,
[03:21.620 --> 03:26.720]  over commercial issues, over... I'm missing a very obvious one that I can't think of.
[03:26.720 --> 03:34.900]  But they have jurisdiction over so much. And as technology has continued to weave its way into
[03:34.900 --> 03:40.720]  the fabric of daily society, what that means is that the sectors and the issues that Energy and
[03:40.720 --> 03:45.560]  Commerce has jurisdiction over began to do the same. So everything that we were doing
[03:45.560 --> 03:51.400]  in a lot of cases ended up taking on a cybersecurity bent. So I ended up looking at just this whole
[03:51.400 --> 03:56.820]  host of things when I was working for Energy and Commerce. Things all along the spectrum from
[03:58.160 --> 04:02.840]  the way that the federal government divides authority between different federal agencies
[04:02.840 --> 04:07.060]  like the Department of Health and Human Services or Homeland Security or the Department of Energy
[04:07.060 --> 04:12.900]  when it comes to cybersecurity emergency response. I looked at things like the 2017
[04:13.900 --> 04:17.360]  ransomware outbreak and what that meant and what kind of things that that had.
[04:18.640 --> 04:22.960]  Just sort of all across the board. And what ended up happening is the last couple of years that I
[04:22.960 --> 04:30.060]  was there was really starting to represent the shift in the healthcare sector's mentality to
[04:30.060 --> 04:35.820]  recognize that cybersecurity wasn't just this little tiny part of their lives where you could
[04:35.820 --> 04:41.020]  have the IT people sort of off in their corner or their basement doing whatever it is, mystical arts
[04:41.020 --> 04:46.780]  that IT people do. But this was a thing that affected patients. It was a patient safety issue
[04:46.780 --> 04:52.020]  and that they needed to be paying attention to it. And so I was really privileged in a lot of ways
[04:52.020 --> 04:58.420]  to be there sort of at the cusp of this realization and sort of work with many parts of the healthcare
[04:58.420 --> 05:05.500]  sector to develop it as it began to go. So I worked with the Food and Drug Administration
[05:05.500 --> 05:10.360]  where I now sit and others to really encourage the healthcare sector to adopt software bill of
[05:10.360 --> 05:15.440]  materials. We were huge advocates when I was on the Committee of Coordinated Disclosure.
[05:16.000 --> 05:20.060]  And we were starting to look at things like old and outdated medical devices and things like that
[05:20.060 --> 05:26.960]  and what should be done. So sort of through that spectrum of experience, starting with
[05:26.960 --> 05:30.900]  Energy and Commerce going to the Linux Foundation and then ending up at FDA,
[05:31.720 --> 05:36.040]  what I hope to bring, what I try to bring is just this very broad
[05:38.160 --> 05:43.620]  breadth of experience on these various cyber security issues that help inform the way that
[05:43.620 --> 05:52.920]  we approach, as an agency, cyber security. It's all about the wizards in the dark corners, right?
[05:53.160 --> 05:58.280]  Yes. So what types of issues do you work on today at FDA? You've mentioned Coordinated
[05:58.280 --> 06:03.840]  Vulnerability Disclosure and probably policy stuff. What can you tell us about the issues
[06:03.840 --> 06:09.920]  that you encounter on a regular basis? Yeah, so I think they generally tend to split into
[06:09.920 --> 06:17.680]  two buckets. There are the sort of the internal agency machination issues where, speaking of
[06:17.680 --> 06:22.260]  Coordinated Disclosure and software bill of materials and these things, medical device
[06:22.260 --> 06:26.540]  vulnerabilities or cyber security vulnerabilities that are relevant to medical devices come in
[06:26.540 --> 06:31.640]  on a very regular basis. And the agency has to look at those vulnerabilities and decide
[06:31.640 --> 06:34.780]  what do we need to do with them? What do we need to do with them and what do we
[06:34.780 --> 06:39.800]  need our stakeholders to be doing with them? And so I spend a significant part of my day working
[06:39.800 --> 06:45.360]  with dedicated experts within the agency looking at cyber security vulnerabilities that might impact
[06:45.360 --> 06:51.800]  medical devices and ensuring that not only FDA but the sector as a whole is doing what it needs
[06:51.800 --> 06:59.440]  to do. This often involves third-party security researchers who either bring vulnerability
[06:59.440 --> 07:05.140]  information directly to us or, on an increasing basis, which we like, they go directly to the
[07:05.140 --> 07:09.940]  manufacturer. And the manufacturers, medical device manufacturers, have certainly matured
[07:09.940 --> 07:14.720]  over the last couple of years to the point where when a security researcher knocks at their door,
[07:14.720 --> 07:19.660]  they're not sort of running around like chickens with their heads cut off, freaking out. They're
[07:19.660 --> 07:22.780]  actually like, oh, yes, great, please come in. Tell us everything you know about this
[07:22.780 --> 07:28.720]  vulnerability. Let us work together to address it, which has been a very, very positive development
[07:28.720 --> 07:36.000]  overall. We are also very much hard at work on just continuously updating FDA's cyber security
[07:37.140 --> 07:42.360]  processes, policies, all of that when it comes to looking at the cyber security of medical devices.
[07:44.040 --> 07:49.100]  Technology evolves on a constant basis, which means that FDA's procedures can't be static.
[07:49.100 --> 07:53.720]  So on a day-to-day basis, we have to continuously re-evaluate the way that we approach cyber
[07:53.720 --> 07:58.000]  security. And if we need to make adjustments to our own process or encourage adjustments
[07:58.000 --> 08:03.380]  in the sector as a whole, that's another thing that I spend quite a bit of my time doing.
[08:03.800 --> 08:08.900]  The last thing that I would just touch on relatively quickly is there are all of these
[08:08.900 --> 08:14.700]  private partnerships that exist out in the sector. And some of the ones that we end up
[08:14.700 --> 08:19.260]  working with the most are the Healthcare Sector Coordinating Council, which is just a very valuable
[08:19.260 --> 08:25.840]  body to us where government and private sector just come together. Really, I think almost anybody
[08:25.840 --> 08:30.560]  can join. The executive director might have some words with me about that, but I think it's pretty
[08:30.560 --> 08:37.380]  open. And we talk about the issues of the day. I'm actually co-leading two task groups underneath
[08:37.380 --> 08:42.560]  that group. One to look at legacy devices and try and figure out what we do with old stuff. How do
[08:42.560 --> 08:46.480]  we get old stuff out of hospitals? How do we make sure that new stuff doesn't become old stuff too
[08:46.480 --> 08:53.340]  soon? And then another one on vulnerability communications, because I think what we've seen
[08:53.340 --> 09:01.200]  on an increasing basis is where your typical cybersecurity advisory being like, hey, there's a
[09:01.200 --> 09:06.280]  problem. They're hard to understand. I mean, you really kind of have to have a lot of background
[09:06.440 --> 09:11.100]  and a lot of technical expertise to be able to read a cybersecurity advisory and understand what
[09:11.100 --> 09:15.960]  it's telling you and know what you're supposed to do. Well, if you're a patient just trying to be
[09:15.960 --> 09:20.360]  like, hey, I heard there was a vulnerability in my pacemaker. What do I do? And you're not
[09:20.440 --> 09:26.420]  a computer science expert. You're going to have very little idea what you're actually being told.
[09:26.860 --> 09:29.680]  And so that's a huge problem. That's something that we're trying to address.
[09:30.240 --> 09:32.820]  So it's another thing that I work on on a day-to-day basis.
[09:34.880 --> 09:39.020]  So you mentioned the FDA guidance. Can you give us just a really quick thumbnail sketch of the
[09:39.020 --> 09:44.120]  pre-market, post-market guidance, kind of the overall regime of the way that FDA approaches
[09:44.120 --> 09:52.200]  security vulnerability disclosure? Yeah. So if you think of a device,
[09:52.200 --> 09:59.460]  if you think of the lifetime of a device, it sort of has probably four stages. You've got
[09:59.460 --> 10:03.740]  the pre-market stage where it's being developed, it's being designed, and then it's being presented
[10:03.740 --> 10:09.920]  to FDA by a company to essentially say, we want to put this device on the market. And that's the
[10:09.920 --> 10:18.160]  pre-market stage. And so during the pre-market stage, what FDA does is that device is essentially
[10:18.160 --> 10:24.240]  reviewed and the standard there is, does this device provide a reasonable assurance of safety
[10:24.240 --> 10:28.220]  and effectiveness? Now that goes beyond cybersecurity. That is literally, even from
[10:28.220 --> 10:32.300]  like a physical machinations perspective, does this thing do what it's supposed to do in a safe
[10:32.300 --> 10:38.560]  and effective way? But obviously that counts for cybersecurity too. So from the cybersecurity
[10:38.560 --> 10:43.960]  perspective in pre-market, our reviewers look at these devices, they look at the security controls
[10:43.960 --> 10:49.140]  that are built into it, and they essentially evaluate, are these good enough? Are these
[10:49.140 --> 10:53.280]  sufficient? Do these do what they need to do to protect the device from cybersecurity threats
[10:53.280 --> 10:59.420]  and therefore protect the patients? If medical device manufacturers manage to pass the pre-market
[10:59.420 --> 11:05.400]  stage, then they obviously get to put the device onto the market. And then that is known as the
[11:05.400 --> 11:10.720]  post-market stage. And so once the device is there, once it's in the marketplace,
[11:11.940 --> 11:17.800]  there's also guidance that FDA has put out around what do you need to do? Because as we all know,
[11:17.800 --> 11:22.840]  there is no such thing as a 100% secure product. And something that is secure today is not
[11:22.840 --> 11:29.040]  necessarily going to be secure tomorrow. So you have to have a process for monitoring devices
[11:29.040 --> 11:34.440]  that are on the market. You have to have a process for intaking information on potential issues to
[11:34.440 --> 11:38.380]  include cybersecurity and non-cybersecurity issues. And you have to have a process for
[11:38.380 --> 11:44.200]  figuring out what you're going to do with it. And so FDA has post-market guidance on all of that,
[11:44.200 --> 11:50.560]  that essentially says to manufacturers, here are some suggestions that you really should follow
[11:51.980 --> 11:56.600]  around what you should do for medical device cybersecurity vulnerability that happens once
[11:56.600 --> 12:01.880]  your device is on the market. There's a lot of things there. There's specific regulations on
[12:01.880 --> 12:07.620]  when you have to have a recall. But I think the biggest one for cybersecurity is it is in that
[12:07.620 --> 12:12.360]  guidance that you should have a coordinated disclosure program. So you should have a way
[12:12.360 --> 12:17.800]  to intake information from third parties, typically cybersecurity researchers, but it can be anybody,
[12:18.920 --> 12:22.480]  on cybersecurity vulnerabilities. And then once you have it, and this is a really key part that
[12:22.480 --> 12:26.100]  some people sometimes forget, you can't just take the information and be like, yeah, great, thanks,
[12:26.960 --> 12:31.040]  you actually have to then take the information and do something with it.
[12:31.660 --> 12:35.900]  And so that's sort of that last part of that post-market phase is if there is a vulnerability,
[12:36.480 --> 12:41.620]  how are you going to evaluate it within your company? How are you going to communicate that
[12:41.620 --> 12:45.160]  you've had a vulnerability and what you're doing about it to the agency? Because you have to tell
[12:45.160 --> 12:49.940]  us. And then how are you going to tell the public? Where it's appropriate to tell the public that
[12:49.940 --> 12:53.740]  there's been some kind of issue, what is that going to look like? How are you going to talk
[12:53.740 --> 12:59.160]  about it? What are you going to do for patients? All of that. So that's that post-market phase.
[13:03.860 --> 13:07.500]  So this involves a lot of cooperation with the private sector.
[13:07.500 --> 13:11.320]  What have been your experiences cooperating with the private sector?
[13:11.320 --> 13:14.960]  And you mentioned that companies are improving in the way that they're
[13:14.960 --> 13:19.560]  engaging with security researchers. Can you tell us a little bit about
[13:20.100 --> 13:24.000]  some of those dynamics and maybe share a few success stories of coordinating?
[13:24.000 --> 13:31.580]  Absolutely. Yeah, so I think what I would start out with is way back in the day when I was still
[13:31.580 --> 13:38.680]  in Congress, when medical device vulnerabilities were still sort of, I mean, they're still sexy
[13:38.680 --> 13:44.500]  today, you know, who doesn't love a "your medical device can kill you" headline. But when
[13:44.500 --> 13:49.860]  they're a little bit more new, they're a little bit more novel. What we would typically
[13:49.860 --> 13:55.080]  see happen is medical device manufacturers would get contacted by security researchers,
[13:55.080 --> 14:01.780]  and they would just be so confused. Who is this person? How did they figure this out?
[14:01.780 --> 14:06.340]  What is going on? And usually, and Andrew, you probably know this better than anybody, they're
[14:06.340 --> 14:12.180]  like, sue them, sue them right now, make it so they can't talk about it, make it so that they
[14:12.180 --> 14:18.580]  clearly broke the law when they did this research. And so somebody like make them stop. And that was
[14:18.580 --> 14:23.600]  really how it was handled. You have these security researchers who were like, hey, I found this
[14:23.600 --> 14:29.820]  problem. Do you want to know about it? And they were very good faith. But there was just,
[14:29.820 --> 14:35.120]  it was such a new thing for these manufacturers. And there was so much in, you know, to give them
[14:35.220 --> 14:39.640]  a little bit of credit or to have a little bit of sympathy for the manufacturers. There's a lot
[14:39.640 --> 14:46.140]  that rides on them not having issues, you know, obviously, they're a heavily regulated industry.
[14:46.140 --> 14:50.380]  If there is a problem with their medical device, there's consequences, you know,
[14:50.380 --> 14:55.560]  whether those are regulatory consequences, or they are getting sued, or whatever it is,
[14:55.560 --> 15:04.800]  patient harm consequences, it's a big deal. And so it took them a significant amount of time
[15:05.420 --> 15:13.620]  and a significant amount of work by a lot of discrete parties within the security research
[15:13.620 --> 15:19.740]  community. I'm sure, Andrea, you played a role in this. Josh Corman, Beau Woods, Katie Moussouris,
[15:19.740 --> 15:26.460]  Nina Alli, a lot of these folks put in a lot of time and effort to actually sit down with the
[15:26.460 --> 15:30.780]  medical device manufacturers and others, you know, this was also going on in auto and energy and other
[15:30.780 --> 15:37.220]  sectors, and essentially be like, look, we come in peace, like, we're really just trying to help
[15:37.220 --> 15:44.520]  you here. And over time, as you know, we had also some visionaries on the medical device side,
[15:44.520 --> 15:49.520]  and certainly my boss, I can't take credit for this, I wasn't at FDA at this time, but Dr. Suzanne
[15:49.520 --> 15:56.700]  Schwartz, Dr. Seth Carmody, Dr. Aftin Ross, they actually sort of also went out on a limb
[15:57.380 --> 16:02.300]  and began to embrace the security research community. There were some of these visionaries
[16:02.300 --> 16:08.120]  at these medical device manufacturers, Colin Morgan, Rob Suarez, Michael McNeil,
[16:08.700 --> 16:15.200]  others who really took the lead on recognizing that coordinated disclosure, and just the ability
[16:15.200 --> 16:22.520]  to be given information in a friendly way, rather than a blackmail way, helped everyone.
[16:23.460 --> 16:32.120]  And so from about, I don't know, 2015-ish to now, what we see much, much, much more frequently
[16:32.120 --> 16:37.980]  is the security researchers go directly to the medical device manufacturers who receive them
[16:37.980 --> 16:42.360]  with open arms, they have this continuous dialogue that we don't even know about for
[16:42.360 --> 16:48.480]  weeks, months, however long it takes place, and then at some point prior to the public disclosure,
[16:48.480 --> 16:55.380]  they come to us as a united front and essentially say, hey, this awesome guy over here, whoever
[16:56.800 --> 17:01.500]  found a cybersecurity vulnerability, they told us about it, here's all the things that we've done,
[17:02.320 --> 17:08.200]  they agree, they've checked our math, they think that it's correct, and we're going to
[17:08.200 --> 17:11.620]  just close on this day, we're going to do this, this is our plan for post-market,
[17:11.620 --> 17:18.060]  as we had discussed before. And it's a much smoother, it's a much more collaborative,
[17:18.060 --> 17:23.520]  and it's a much more effective process for us as an agency, so we're not having to stand over
[17:23.520 --> 17:30.500]  everyone and check their work. And it really just benefits patients overall that we all have these
[17:30.500 --> 17:38.620]  relationships. If you were looking for specifics, like specific disclosures that I could point to,
[17:39.060 --> 17:45.020]  I'm trying to think, like, what are some of the best examples that we've run into lately? It's
[17:45.020 --> 17:50.380]  been a little bit confused with COVID, as everyone can, I think, probably sympathize with, because
[17:50.380 --> 17:55.580]  there's a lot going on. But maybe one that I'll point out, too, this is the last one that FDA did
[17:55.660 --> 18:08.320]  a safety communication on. This is a cross-industry problem with Bluetooth Low Energy,
[18:08.320 --> 18:12.200]  and it didn't just happen in the healthcare sector, but we were the ones who ended up kicking
[18:12.200 --> 18:18.840]  off a lot of the response. But the researchers were in Singapore, the vulnerabilities impacted
[18:18.840 --> 18:25.060]  just numerous medical device manufacturers. But what was really impressive about that
[18:25.060 --> 18:30.740]  is our ability to connect the researchers to the medical device manufacturers and the
[18:30.740 --> 18:33.520]  researchers' willingness to be connected to the medical device manufacturers
